Brief. The BakerHostetler Data Security Incident Response Report 2015
|
|
- Edwin Flowers
- 8 years ago
- Views:
Transcription
1 Brief The BakerHostetler Data Security Incident Response Report 2015
2 The rate of disclosures of security incidents in 2015 continues at a pace that caused many to call 2013 and then 2014 the year of the breach. Most incidents are described publicly with attention-grabbing terms such as hack or breach, but those terms are inadequate to describe the diversity of incidents companies are facing. Though there is some speculation that breach fatigue is setting in, high-profile incidents continue to grab headlines. Privacy and data security issues are firmly entrenched as a significant public and regulatory concern and a risk/opportunity that executive leadership and boards of directors must confront. In this climate of heightened awareness, the forensic investigation firms we work with release annual reports identifying trends from their prior year investigations. Because of the value we have found in these annual reports when working to help companies become better prepared to detect and respond to incidents, we decided to begin issuing our own annual reports to enhance the discussion of the nature of the threats faced by companies, as well as detection and response trends, and the consequences that follow. This inaugural 2015 BakerHostetler Security Incident Response report provides insights generated from our review of the more than 200 incidents on which BakerHostetler s award-winning Privacy and Data Protection Team advised clients in Our report is based on data for incidents affecting more than 160 clients and includes dates of incident, discovery and notification, the number of individuals notified, data at risk, mitigation solutions, regulatory and law enforcement involvement, vulnerability types, the use of support services, and postnotification consequences. We hope that this report will assist companies in becoming compromise ready.
3 No Industry is Immune but Frequency and Severity Differ Education Financial Services Real Estate Retail/Hospitality Other Government Retail/Hospitality Professional Services Other Healthcare Healthcare Professional Services Frequency Severity Incidents do not discriminate they affect all industries. Why? Because they do not occur only to companies that have payment card data or protected health information (PHI). All companies have employee data and disruptive malware is prevalent. Websites are defaced by politically motivated hacktivists and attacks are initiated by cybercriminals looking for profit or intellectual property. Our 2014 data set confirms this, with all industries represented. The sectors affected the most were education, financial services, real estate, retail/hospitality, professional services, and healthcare. Tens of thousands of incidents involving PHI have been reported since HITECH s breach notification requirement went into effect in 2009, so it is no surprise that by frequency, healthcare tops our list. While PHI incidents are disclosed more frequently, driven in part by HIPAA presumption that a breach occurred, the severity when measured by number of affected individuals is often less (many incidents affect less than 10 people). It is also not surprising that professional services and retail/hospitality services providers top the list when it comes to severity. And because incidents affecting these sectors often require forensic investigation and draw more media coverage, the cost and potential financial consequences are dramatically higher on a per-incident basis.
4 Human Error is Most Often to Blame If you read the annual reports of forensic firms you will see that phishing and spear-phishing is the predominant method used to attack companies. Because not all incidents involve an external attack (we engaged a forensic firm in 30 percent of the incidents on which we worked), our list of the top five causes of an incident is a little different. These causes are: 1 employee negligence; 2 external theft of a device; 3 employee theft; 4 phishing; and 5 malware. The large number of the incidents we saw in 2014 that included employee negligence as part of the primary underlying cause is proof that companies cannot eradicate security risk solely through the use of better technology. Sure, encrypting portable devices can help in cases where employees leave devices in unlocked cars, but technical security solutions do not stop employees from being phished, failing to review logs, or improperly configuring servers. Companies must match security solutions that provide defense-in-depth with detection capabilities as well as employee training and awareness driven by the right tone from the top and appropriate information security policies and procedures. Number of Incidents (Percent) % 22% Outsiders 16% 14% 11% Insiders 0 Employee Negligence Theft Malware Phishing A definitive cause was determined for 139 of the incidents. In those cases, 51 (37 percent) could be attributed to employee negligence. Theft was the cause of 53 incidents (38 percent), 31 (22 percent) by outsiders and 22 (16 percent) by insiders. Malware was responsible for 20 incidents (14 percent) and phishing for only 15 (11 percent). Why Rapid Detection is Critical Forensics firms continue to report that as many as two-thirds of the incidents they investigate are not self-detected by the company. Our data showed the opposite. Incidents were discovered by our clients as opposed to a third party 64 percent of the time. Of the 36 percent discovered by third parties, 27 percent were due to theft. We cannot stress enough the need for companies to spend sufficient time and resources developing their detection capabilities. Timing is crucial at all stages of an incident response. An incident needs to be detected and the cause identified as quickly as possible. If a company is slow to detect, or worse, does not selfdetect, it will face at least four major issues:
5 1 The company misses an opportunity to block the attack before it gets to critical data and is slower to mitigate potential harm to the company and affected individuals; 2 Forensic data that could be used to precisely determine what occurred, and thereby limit the scope of at-risk data and offer some reassurance to affected individuals, may be lost (e.g., logs are overwritten); 3 If the data is actually used for fraud or identity theft, signs of the misuse may be detected by third parties, which can lead to the story breaking publicly before the company is aware of the incident; and 4 When third parties break the story, the company often is forced to discuss the incident before it can investigate and contain the incident and then explain what occurred, who is affected, what mitigation services it is offering, and what it is doing to prevent the issue from occurring again. As a result, the company is more likely to be viewed as not handling the incident well. Companies that face this scenario often say too much too soon in an effort to reassure or deflect, which often then leads to more intense scrutiny and an increased likelihood of adverse consequences. Detection Times Must be Shortened Of the incidents in which we identified the dates of detection and notification, the average amount of time that elapsed from incident occurrence to detection was 134 days. Many of the incidents we worked on involved PHI, for which notification is required within 60 days of discovery. On average, notification was made to affected individuals within 50 days of the time the company became aware of the incident. It s Not Just Electronic Records at Risk Often it is assumed that data security incidents are unique to electronic data, but this is not always the case. Of the incidents we handled in 2014, 21 percent involved paper records. Whether paper or electronic, the data at risk that led to the decision to notify in 58 percent of our incidents was data subject to state breach notification laws, such as Social Security or driver s license numbers and financial account information. Health information was affected in 34 percent of the incidents and eight percent involved payment card data % Paper 42% Not Required 58% Other Number of Incidents (Percent) % Electronic 58% Notification Required 8% Credit Card 34% 0 Health Information
6 What Happens After the Incident? We work with clients to find ways to prevent or mitigate the misuse of data at risk. Not only does this help the company mitigate potential liability, it can be part of the company s effort to restore its relationship with customers or patients. In the incidents we handled, credit monitoring was offered 67 percent of the time. Still, credit monitoring may not always be the right solution (e.g., it will not prevent unauthorized charges from being made on a payment card). Not Offered 33% Offered 67% 67% In of the cases credit monitoring was offered Many assume litigation always occurs after an incident is disclosed. But of 75 incidents where notification letters were mailed or substitute notification was posted, only five of the companies were sued by potentially affected individuals. Another consequence that follows notification is regulatory action. Of the matters we handled, attorneys general were notified in 59 cases and inquiries were made 31 percent of the time. A multi-state inquiry was initiated less than 5 percent of the time, with the number of investigations involving healthcare and merchants being evenly split. Total Notifications Inquiries 31% Multi State Inquiries 5% to Merchants who $3 have payment $25 card data stolen from them or from one of their vendors may face non-compliance fines, case management fees, and assessments to reimburse issuing banks for the cost of issuing new cards as well as the incremental fraud that occurred on the stolen cards. We saw fines and assessments from all four card brands in The PCI DSS non-compliance fines ranged from $5,000 to $50,000. The initial demand for operating expense and fraud assessments ranged from $3 to $25 per card involved. to $5,000 $50,000 The PCI DSS non-compliance fines ranged from $5,000 to $50,000. to $3 $25 The initial demand for operating expense and fraud assessments ranged from $3 to $25 per card involved.
7 In healthcare, when a breach involving more than 500 individuals is reported, our experience is that the Department of Health and Human Services Office for Civil Rights (HHS OCR) initiates an investigation 100 percent of the time. In breaches involving fewer than 500 individuals, an investigation is commenced in just a very small percentage of those breaches. Of the more than 80 HHS OCR investigations we have helped clients defend, just one has resulted in a resolution agreement. In 2014, we helped clients defend against more than 28 investigations initiated by HHS OCR. After the report of a breach, regulators most often ask to review: Copies of policies and procedures governing privacy and security; Evidence of education and awareness programs, including attendance logs; Risk assessments conducted by the organization over a several-year period preceding the incident; Risk mitigation plans developed as a result of the risk assessments; Vendor/Business Associate agreements in place, regardless of whether a vendor caused the breach; and Copies of disaster recovery and business continuity plans. What Proactive Steps Should Companies Take? Because it is not if but when an incident will occur, companies can become compromise ready by taking the following steps: Developing an incident response plan and practicing execution of the plan with tabletop exercises; Working with an experienced security consultant to conduct security assessments (to understand where assets and sensitive data are located); Implementing reasonable security and detection capabilities based on the recommendations of the consultant; Gathering threat intelligence to understand the nature of current risks; Conducting personnel training and awareness-raising activities to reduce the chance that an incident will result from employee negligence and those incidents that do occur will be quickly identified; Undertaking vendor due diligence and contract analysis, to reduce the chance that an incident will be caused by a company s business contacts; and Maintaining ongoing diligence, updating and adapting to changing risks, to proactively guard against evolving and emerging threats. A board of directors addressing cybersecurity should consider the following oversight actions: Forming a risk committee; Engaging a cyber adviser ; Reviewing risk assessments; Evaluating whether the company has the right roles in its structure, including Chief Privacy Officer, Chief Information Security Officer and Chief Risk Officer, to oversee and carry out its privacy and security policies and plans; Evaluating privacy and security budgets to make sure that sufficient resources are in place to protect against and respond to data security incidents; and Addressing the opportunity for risk shifting through effective cyberinsurance coverage.
8 Theodore J. Kobus New York Gerald J. Ferguson New York Craig A. Hoffman Cincinnati Lynn Sessions Houston Tanya Forsheit Los Angeles Randal L. Gainer Seattle bakerlaw.com BakerHostetler is one of the nation s leading law firms with more than 900 attorneys coast to coast, delivering the highest-quality legal counsel on the most complex and critical issues facing clients today. The firm has offices in Atlanta, Chicago, Cincinnati, Cleveland, Columbus, Costa Mesa, Denver, Houston, Los Angeles, New York, Orlando, Philadelphia, Seattle, and Washington, D.C. Baker & Hostetler LLP publications inform our clients and friends of the firm about recent legal developments. This publication is for informational purposes only and does not constitute an opinion of Baker & Hostetler LLP. Do not rely on this publication without seeking legal counsel Attorney Advertising
cyber liability insurance.
1 of 8 4/23/2016 2:49 PM (http://www.xtelligentmedia.com) Become a member Login HealthITSecurity /) Home /) News /news) Features /features) HIPAA and Compliance /topic/hipaa) EHR Security /topic/ehr-security)
More informationPrivacy Rights Clearing House
10/13/15 Cybersecurity in Education What you face as educational organizations How to Identify, Monitor and Protect Presented by Jamie Gershon Sr. Vice President Education Practice Group 1 Privacy Rights
More informationIs Your Organization Compromise Ready? 2016 Data Security Incident Response Report
Is Your Organization Compromise Ready? 2016 Data Security Incident Response Report SUMMARY Incident Response Trends The trends from last year s inaugural BakerHostetler Data Security Incident Response
More informationPayment Card Industry Update and Cyber Risk Management
Payment Card Industry Update and Cyber Risk Management CRAIG A. HOFFMAN, ESQ. BAKERHOSTETLER ADAM COTTINI, MANAGING DIRECTOR, CYBER LIABILITY PRACTICE, ARTHUR J GALLAGHER & CO. OCTOBER 22, 2015 2014 ARTHUR
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationThe Anthem Breach: What Employers Need to Know. February 11, 2015
The Anthem Breach: What Employers Need to Know February 11, 2015 Who We Are Privacy and Data Protection Team Named Practice Group of the Year by Law360 Chambers USA 2014 Nationally-Ranked Privacy and Data
More informationRetail Roundtable: Payment System Cyber Attacks Preparing, Protecting, and Responding. June 11, 2014
Retail Roundtable: Payment System Cyber Attacks Preparing, Protecting, and Responding June 11, 2014 Panel Members Craig Hoffman Partner T: 513.929.3491 C: 513.227.3286 cahoffman@bakerlaw.com www.dataprivacymonitor.com
More informationPROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS
PROFESSIONAL RISK PRIVACY CLAIMS SCENARIOS The following claim scenarios are hypothetical and are offered solely to illustrate the types of situations that may result in claims. Although sorted by industry,
More informationData Breach Cost. Risks, costs and mitigation strategies for data breaches
Data Breach Cost Risks, costs and mitigation strategies for data breaches Tim Stapleton, CIPP/US Deputy Global Head of Professional Liability Zurich General Insurance Data Breaches: Greater frequency,
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationCyber Risks in the Boardroom
Cyber Risks in the Boardroom Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks in a Changing
More informationAuditing your institution's cybersecurity incident/breach response plan. Baker Tilly Virchow Krause, LLP
Auditing your institution's cybersecurity incident/breach response plan Objectives > Provide an overview of incident/breach response plans and their intended benefits > Describe regulatory/legal requirements
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationCybersecurity: Protecting Your Business. March 11, 2015
Cybersecurity: Protecting Your Business March 11, 2015 Grant Thornton. All LLP. rights All reserved. rights reserved. Agenda Introductions Presenters Cybersecurity Cybersecurity Trends Cybersecurity Attacks
More informationNetwork Security & Privacy Landscape
Network Security & Privacy Landscape Presented By: Greg Garijanian Senior Underwriter Professional Liability 1 Agenda Network Security Overview -Latest Threats - Exposure Trends - Regulations Case Studies
More informationZip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.
Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationHIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com
HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health
More informationCybersecurity Workshop
Cybersecurity Workshop February 10, 2015 E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. E. Andrew Keeney, Esq. Kaufman & Canoles, P.C. 150 West Main Street, Suite 2100 Norfolk, VA 23510 (757) 624-3153
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationData Breach and Senior Living Communities May 29, 2015
Data Breach and Senior Living Communities May 29, 2015 Todays Objectives: 1. Discuss Current Data Breach Trends & Issues 2. Understanding Why The Senior Living Industry May Be A Target 3. Data Breach Costs
More informationCybersecurity and Hospitals. What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response
Cybersecurity and Hospitals What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response This resources was prepared exclusively for American Hospital Association members by Mary
More informationNerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.
Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million
More informationData Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked
Data Breach and Cybersecurity: What Happens If You or Your Vendor Is Hacked Linda Vincent, R.N., P.I., CITRMS Vincent & Associates Founder The Identity Advocate San Pedro, California The opinions expressed
More informationBest practices and insight to protect your firm today against tomorrow s cybersecurity breach
Best practices and insight to protect your firm today against tomorrow s cybersecurity breach July 8, 2015 Baker Tilly Virchow Krause, LLP Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently
More informationBreach Notification Policy
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
More informationADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
More informationSINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry
SINGAPORE HEALTHCARE ENTERPRISE RISK MANAGEMENT CONGRESS 2014 - Data Breach : The Emerging Threat to Healthcare Industry DATA BREACH A FICTIONAL CASE STUDY THE FIRST SIGNS OF TROUBLE Friday, 5.20 pm :
More information2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security
2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009
More informationDATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
More informationCybercrime: risks, penalties and prevention
Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,
More informationHIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.
HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results
More informationHCCA Compliance Institute 2013 Privacy & Security
HCCA Compliance Institute 2013 Privacy & Security 704 Conducting a Privacy Risk Assessment A Practical Guide to the Performance, Evaluation and Response April 23, 2013 Presented By Eric Dieterich Session
More informationTen Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationGALLAGHER CYBER LIABILITY PRACTICE. Tailored Solutions for Cyber Liability and Professional Liability
GALLAGHER CYBER LIABILITY PRACTICE Tailored Solutions for Cyber Liability and Professional Liability Are you exposed to cyber risk? Like nearly every other business, you have probably capitalized on the
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationRISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION
RISKY BUSINESS SEMINAR CYBER LIABILITY DISCUSSION October 23, 2015 THREAT ENVIRONMENT Growing incentive for insiders to abuse access to sensitive data for financial gain Disgruntled current and former
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationNew Privacy Laws Impacting the Health Care Work Place
New Privacy Laws Impacting the Health Care Work Place Presented by Thomas E. Jeffry, Jr., Esq. Arent Fox LLP Washington, DC New York, NY Los Angeles, CA November 12 & 19, 2009 Overview 1. Overview of California
More informationInformation Security and Risk Management
Information Security and Risk Management COSO and COBIT Standards and Requirements Page 1 Topics Information Security Industry Standards and COBIT Framework Relation to COSO Internal Control Risk Management
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationCYBER SECURITY SPECIALREPORT
CYBER SECURITY SPECIALREPORT 32 The RMA Journal February 2015 Copyright 2015 by RMA INSURANCE IS AN IMPORTANT TOOL IN CYBER RISK MITIGATION Shutterstock, Inc. The time to prepare for a potential cyber
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationA Privacy and Data Security Checklist for All
July 2015 Many companies know they have to follow privacy and data security rules. Companies in the health care industry know about Health Insurance Portability and Accountability Act (HIPAA). Financial
More informationInformation Security Addressing Your Advanced Threats
Information Security Addressing Your Advanced Threats Where We are Going Information Security Landscape The Threats You Face How To Protect Yourself This Will Not Be Boring What Is Information Security?
More informationHIPAA Cyber Security: Your Vendor is a Back Door to Your Server
HIPAA Cyber Security: Your Vendor is a Back Door to Your Server Prepared for the American Health Lawyers Association s Fraud and Compliance Forum held October 6, 2014 John E. Kelly, Esq. Member Bass, Berry
More informationInformation Security Incident Management Guidelines
Information Security Incident Management Guidelines INFORMATION TECHNOLOGY SECURITY SERVICES http://safecomputing.umich.edu Version #1.0, June 21, 2006 Copyright 2006 by The Regents of The University of
More informationA Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014
A Wake-Up Call? Fight Back Against Cybercrime Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014 1 Coalfire Background Leading Information Security Consulting Firm Offices: Atlanta,
More informationCyber and Privacy Risk What Are the Trends? Is Insurance the Answer?
Minnesota Society for Healthcare Risk Management September 22, 2011 Cyber and Privacy Risk What Are the Trends? Is Insurance the Answer? Melissa Krasnow, Partner, Dorsey & Whitney, and Certified Information
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationInsulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact. February 10, 2015
Insulate Your Company from a Cyber Breach: Proactive Steps to Minimize Breach Risks & Impact February 10, 2015 Overview 1 The Legal Risks And Issues/The Role Of Legal Counsel: The Breach Coach The Slippery
More informationCybersecurity Executive Order
Cybersecurity Executive Order February 14, 2013 Michael DuBose, Kroll Advisory Solutions Gerald J. Ferguson, BakerHostetler Jason Straight, Kroll Advisory Solutions Theodore J. Kobus III, BakerHostetler
More informationDATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH
DATA BREACHES: WHEN COMPLIANCE IS NOT ENOUGH Andy Watson Grant Thornton LLP. All rights reserved. CYBERSECURITY 2 SURVEY OF CHIEF AUDIT EXECUTIVES (CAEs) GRANT THORNTON'S 2014 CAE SURVEY Data privacy and
More informationCybersecurity. Are you prepared?
Cybersecurity Are you prepared? First Cash, then your customer, now YOU! What is Cybersecurity? The body of technologies, processes, practices designed to protect networks, computers, programs, and data
More informationData Security Incident Response Plan. [Insert Organization Name]
Data Security Incident Response Plan Dated: [Month] & [Year] [Insert Organization Name] 1 Introduction Purpose This data security incident response plan provides the framework to respond to a security
More informationOctober 24, 2014. Mitigating Legal and Business Risks of Cyber Breaches
October 24, 2014 Mitigating Legal and Business Risks of Cyber Breaches AGENDA Introductions Cyber Threat Landscape Cyber Risk Mitigation Strategies 1 Introductions 2 Introductions To Be Confirmed Title
More informationTexas Medical Records Privacy Act
A COALFIRE PERSPECTIVE Texas Medical Records Privacy Act Texas House Bill 300 (HB 300) Rick Dakin, CEO & Co-Founder Rick Link, Director Andrew Hicks, Director Overview The State of Texas has pushed ahead
More informationBOARD OF GOVERNORS MEETING JUNE 25, 2014
CYBER RISK UPDATE BOARD OF GOVERNORS MEETING JUNE 25, 2014 EXECUTIVE SUMMARY Cyber risk has become a major threat to organizations around the world, as highlighted in several well-publicized data breaches
More informationWhite Paper on Financial Industry Regulatory Climate
White Paper on Financial Industry Regulatory Climate According to a 2014 report on threats to the financial services sector, 45% of financial services organizations polled had suffered economic crime during
More informationACE Advantage PRIVACY & NETWORK SECURITY
ACE Advantage PRIVACY & NETWORK SECURITY SUPPLEMENTAL APPLICATION COMPLETE THIS APPLICATION ONLY IF REQUESTING COVERAGE FOR PRIVACY LIABILITY AND/OR NETWORK SECURITY LIABILITY COVERAGE. Please submit with
More informationDATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE
DATA SECURITY BREACH: THE NEW THIRD CERTAINTY OF LIFE ACC-Charlotte February 4, 2015 THIS WILL NEVER HAPPEN TO ME! Death, Taxes & Data Breach Not just Home Depot, Target or Sony Do you employ the next
More informationAnatomy of a Privacy and Data Breach
Anatomy of a Privacy and Data Breach Understanding the Risk and Managing a Crisis Adam Kardash: Partner, Heenan Blaikie LLP Robert Parisi: Senior Vice President, Marsh Leadership, Knowledge, Solutions
More informationNEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16
NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The
More informationCards at School. Why Banks View Campuses as High Risk Customers. Payments
Cards at School Why Banks View Campuses as High Risk Customers Dennis W. Reedy, CTP, Managing Director, Treasury Operations, Indiana University Walter Conway, Walter Conway Associates, LLC Accepting credit
More informationFINRA Publishes its 2015 Report on Cybersecurity Practices
Securities Litigation & Enforcement Client Service Group and Data Privacy & Security Team To: Our Clients and Friends February 12, 2015 FINRA Publishes its 2015 Report on Cybersecurity Practices On February
More informationHealthcare in the Crosshairs for Data Breaches. April 22, 2015. Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com
Healthcare in the Crosshairs for Data Breaches April 22, 2015 1 Presenters Deborah Hiser (512) 703-5718 deborah.hiser@huschblackwell.com Ana Cowan (512) 703-5791 ana.cowan@huschblackwell.com Debbie Juhnke,
More informationwhat your business needs to do about the new HIPAA rules
what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or
More informationIDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240
IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance
More informationInsurance Considerations Related to Data Security and Breach in Outsourcing Agreements
Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements Greater New York Chapter Association of Corporate Counsel November 19, 2015 Stephen D. Becker, Executive Vice President
More informationCyber/Information Security Insurance. Pros / Cons and Facts to Consider
1 Cyber/Information Security Insurance Pros / Cons and Facts to Consider 2 Presenters Calvin Rhodes, Georgia Chief Information Officer Ron Baldwin, Montana Chief Information Officer Ted Kobus, Partner
More informationDATA BREACH RESPONSE READINESS Is Your Organization Prepared?
March 30, 2015 DATA BREACH RESPONSE READINESS Is Your Organization Prepared? Peter Sloan Pete Enko Jeff Jensen Deborah Juhnke The data security imperatives of Prevention, Detection, and Response do not
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationPristine Technology Solutions, Inc.
Pristine Technology Solutions, Inc. 25 Measures 1. CPOE for Medication Orders 2. Drug Interaction Checks Drug-Drug/Allergy 3. Maintain Problem List 4. Permissible Prescriptions - eprescribing 5. Active
More informationBeazley presentation master
The Art of Breach Management Beazley presentation master February 2008 A Brief Review of Data Breaches What is a Data Breach? Actual release or disclosure of information to an unauthorized individual/entity
More informationMedical Information Breaches: Are Your Records Safe?
Medical Information Breaches: Are Your Records Safe? Learning Objectives At the conclusion of this presentation the learner will be able to: Recognize the growing risk of data breaches Assess the potential
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationHIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com
HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationDon t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks
Don t Be a Victim to Data Breach Risks Protecting Your Organization From Data Breach and Privacy Risks Thank you for joining us. We have a great many participants in today s call. Your phone is currently
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationHIPAA Breach Notification Policy
HIPAA Breach Notification Policy Purpose: To ensure compliance with applicable laws and regulations governing the privacy and security of protected health information, and to ensure that appropriate notice
More informationWhat Data? I m A Trucking Company!
What Data? I m A Trucking Company! Presented by: Marc C. Tucker 434 Fayetteville Street, Suite 2800 Raleigh, NC, 27601 919.755.8713 marc.tucker@smithmoorelaw.com Presented by: Rob D. Moseley, Jr. 2 West
More informationInfoGard Healthcare Services. 2015 InfoGard Laboratories Inc.
InfoGard Healthcare Services 10 Steps To Protect My Covered Entity From Breach Your Presenters Alan Martin Account Manger Marvin Byrd Security Engineer Test and Certification Laboratory Healthcare Payment
More informationSEC Cybersecurity Findings May Establish De Facto Standard
Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY 10003 www.law360.com Phone: +1 646 783 7100 Fax: +1 646 783 7161 customerservice@law360.com SEC Cybersecurity Findings May Establish De Facto
More informationHealthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.
Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationThe Importance of Privacy & Data Security in a Changing World
Cyber, PrivaCy & Data SeCurity 360 www.mpplaw.com about our PraCtiCe Data is the lifeblood of our global economy. Collected, stored and transmitted, digital data not only imparts great opportunities, but
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More information2012 雲 端 資 安 報 告. 黃 建 榮 資 深 顧 問 - Verizon Taiwan. August 2012
2012 雲 端 資 安 報 告 黃 建 榮 資 深 顧 問 - Verizon Taiwan August 2012 1 It s All About Security Protecting assets from threats that could impact the business Protecting Assets... Stationary data Data in transit
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More information